Ever-evolving list of tshark command lines I use for various purposes, with the goal of avoiding trawling through the wireshark and tcpdump man pages every time to find the filters. Adding -V switches from the one-line summary to the full packet-detail view (tshark has no stacked -VV/-VVV verbosity levels like tcpdump's -vv/-vvv; -x adds a hex/ASCII dump of each packet). I also usually prepend the tshark command with nice -n 19 ionice -c3 to try to minimize processor (CPU) and disk I/O usage when running tshark. Note that -f takes a capture filter in BPF (tcpdump) syntax and tshark only honours the last -f given for an interface, so several conditions have to be combined into one expression with and/or rather than repeated -f switches; -Y takes a Wireshark display filter instead.
- Monitor DECnet-over-UDP bridged traffic to HECnet. The following is for the VPS hosting CLOUDY:: and JUICHI::, which bridges DECnet over UDP to the HECnet update host (psilo.update.uu.se) and to QCOCAL:: hosted on sanyalnet-openvms-vax.freeddns.org (described in my post here). The hosts and ports go into a single capture filter joined with or; the hostnames are resolved once when the capture starts, so restart tshark if a dynamic-DNS address changes:
# tshark -i ens33 -f "host psilo.update.uu.se or host sanyalnet-openvms-vax.freeddns.org or udp port 4711 or udp port 4712"
- Capture all NTP traffic:
# tshark -i ens33 -f "udp port 123"
- Capture NTP packets in server mode, i.e. the replies. Matching "server" in the Info column catches both the answers this host sends to its own clients and the answers it receives from its upstream servers. The -l switch makes tshark flush after every packet, so grep shows lines immediately instead of after stdout's block buffer fills:
# tshark -l -i ens33 -f "udp port 123" | grep "server"
- To narrow that to the time this host serves to other hosts, also match this host's own address in the source column (substitute your address for 220.127.116.11; newer tshark versions print the column separator as → rather than ->, so use whichever your version prints):
# tshark -l -i ens33 -f "udp port 123" | grep "220.127.116.11 ->" | grep server
- Capture NTP packets in client mode, i.e. the polls. This catches this host's own polls to the remote clock sources it synchronizes from, plus polls arriving from any hosts that use this host as their server; filter on the source column as above to separate the two:
# tshark -l -i ens33 -f "udp port 123" | grep "client"
- Capture all traffic to the SanyalCraft Minecraft server (on port 25565) and our experimental Minecraft server on port 25566, again as one combined filter:
# tshark -i ens33 -f "tcp port 25565 or tcp port 25566"
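Two helpers that fold the patterns above into reusable shell functions: one builds a single capture filter from several terms (the -f override problem behind the HECnet and Minecraft commands), and one classifies tshark's one-line NTP output by direction relative to this host, which is what the server/client grep pipelines approximate. This is an added example, not code from the original post; the addresses and the sample tshark lines are constructed, and it assumes tshark's default one-line column layout with the separator printed as -> or →.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: helpers for the tshark one-liners above.
# Assumptions (not from the page): the addresses below are constructed placeholders,
# and tshark's default one-line output has the form
#   <num> <time> <src> → <dst> NTP <len> NTP Version 4, server
# with the separator printed as "->" by older versions and "→" by newer ones.

# Join capture-filter terms into one BPF expression. tshark keeps only the last -f
# given for an interface, so "-f A -f B" captures just B; pass "$(join_filter A B)" instead.
join_filter() {
  local out="" term
  for term in "$@"; do
    if [ -z "$out" ]; then
      out="$term"
    else
      out="$out or $term"
    fi
  done
  printf '%s\n' "$out"
}

# Classify NTP lines from tshark's one-line output (stdin) relative to this host's
# address $1. Mode "server" marks a reply, "client" a poll; the source column tells
# which direction it went. Prints one summary line:
#   served=<replies we sent> clients=<polls we received> upstream=<replies we got> polls=<polls we sent>
ntp_counts() {
  awk -v me="$1" '
    ($4 == "->" || $4 == "→") && $6 == "NTP" {
      if ($3 == me && / server/)      served++
      else if ($5 == me && / client/) clients++
      else if ($5 == me && / server/) upstream++
      else if ($3 == me && / client/) polls++
    }
    END { printf "served=%d clients=%d upstream=%d polls=%d\n",
                 served+0, clients+0, upstream+0, polls+0 }'
}

# Constructed sample of tshark output for a host 10.0.0.5 that both serves time
# to 10.0.0.77 and syncs from the upstream server 192.0.2.10.
SAMPLE_NTP='1 0.000000 10.0.0.5 → 192.0.2.10 NTP 90 NTP Version 4, client
2 0.010000 192.0.2.10 → 10.0.0.5 NTP 90 NTP Version 4, server
3 1.000000 10.0.0.77 → 10.0.0.5 NTP 90 NTP Version 4, client
4 1.001000 10.0.0.5 → 10.0.0.77 NTP 90 NTP Version 4, server
5 2.000000 10.0.0.5 -> 192.0.2.10 NTP 90 NTP Version 4, client'

# Usage: a combined capture filter, and the summary for the sample above.
# With a live capture: tshark -l -i ens33 -f "udp port 123" | ntp_counts 10.0.0.5
join_filter "host psilo.update.uu.se" "udp port 4711" "udp port 4712"
printf '%s\n' "$SAMPLE_NTP" | ntp_counts 10.0.0.5
```

The awk program keys on the mode word in the Info column and on whether this host is in the source or destination column, so it separates the four cases the grep pipelines above blur together (replies sent, polls received, replies received from upstream, polls sent). Remember -l on the tshark side of the pipe, or the summary only appears after the buffer flushes.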